I was able to resolve this by mapping global Roles with the appropriate
names to the client scope, disabling full scope and assigning the roles.
They match exactly the names as I use them in Meraki.
I then created a Role Mapper with Role list type. The Role attribute name
is: role, friendly name: Role, and I used SAML Attribute NameFormat: Basic and
enabled Single Role Attribute.
I'm able to log in properly now, and the snippet below is what the proper
role attribute looks like in SAML:
<saml:Attribute FriendlyName="Role" Name="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xsi:type="xs:string">IT</saml:AttributeValue>
</saml:Attribute>
I was missing the Name="role" part of the attribute with the User
Properties and User Attributes mappers, which broke login. All user roles can now
log in properly to Meraki with the proper rights. :)
--
Aaron Echols
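As an added example (not code from this thread or from Keycloak), a small Python check that parses a SAML assertion and confirms the role attribute is in the shape Meraki expects: Name="role", the Basic name format, and exactly one value from the configured Meraki roles. The assertion fragments and the MERAKI_ROLES set are constructed samples.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# Constructed sample: the SAML Administrator Roles defined on the Meraki side.
MERAKI_ROLES = {"IT", "Management"}

def extract_role(assertion_xml, attr_name="role"):
    """Return the values of <saml:Attribute Name=attr_name>; raise ValueError
    if the attribute is missing or not declared with the Basic name format."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue  # an attribute carrying only a FriendlyName is not a match
        if attr.get("NameFormat") != BASIC_FORMAT:
            raise ValueError(f"{attr_name} attribute does not use the Basic NameFormat")
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    if not values:
        raise ValueError(f'no <saml:Attribute Name="{attr_name}"> in assertion')
    return values

def check_meraki_role(assertion_xml):
    """Return (True, role) when exactly one configured Meraki role is asserted,
    otherwise (False, reason) so a failed login can be explained on the IdP side."""
    try:
        roles = extract_role(assertion_xml)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)
    if len(roles) != 1:
        return False, f"expected exactly one role value, got {roles}"
    if roles[0] not in MERAKI_ROLES:
        return False, f"role {roles[0]!r} is not a configured Meraki role"
    return True, roles[0]

# Constructed assertions mirroring the thread: the working one carries Name="role";
# the broken one has only a FriendlyName, which the SP cannot match by name.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Role" Name="role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
BAD_ASSERTION = GOOD_ASSERTION.replace('FriendlyName="Role" Name="role"',
                                       'FriendlyName="Department"')
```

Running check_meraki_role against a captured assertion from the Keycloak SAML login shows whether the mapper emitted the attribute by Name rather than only by FriendlyName, which is the difference between the failing and working configurations above.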
On Thu, Apr 25, 2019 at 5:45 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
Hi,
I just wanted to see if anyone had any other ideas about this. Thanks! :)
--
Aaron Echols
On Sun, Apr 21, 2019 at 8:26 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
> Hello All,
>
> I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
> Keycloak be set up for IdP-initiated SSO, which I've configured. I have
> everything working great, but I'm running into an issue where Keycloak will
> not pass through a SAML attribute using mappers.
>
> Per the docs here:
>
> https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboa...
>
> I need to pass a role attribute through that matches what I've set up as
> the SAML Administrator Roles in Meraki. I've done that and have roles
> set up as IT, Management, etc.
>
> In Active Directory the 'department' attribute is set to the role that is
> needed. I've created the federated mapper 'dept' that is mapped to
> 'department' in AD. Users in Keycloak have that attribute populated
> successfully with the correct data.
>
> In the client for Meraki, I've created a mapper named
> 'https://dashboard.meraki.com/saml/attributes/role' and set it as a
> 'user property' with a property of 'dept' and a general friendly name, and
> then set the 'SAML Attribute Name' to role.
>
> Looking at the SAML login, this is never passed through at all. The only
> way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
> Attribute' with an 'Attribute Value' of 'IT' with a mapper name of
> 'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
> successfully to Meraki. There are other groups that will be logging into
> Meraki, otherwise I'd just leave it hardcoded. I get the below in the SAML
> transaction when hardcoding the attribute:
>
> <saml:Attribute FriendlyName="Department" Name="role"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>   <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xsi:type="xs:string">IT</saml:AttributeValue>
> </saml:Attribute>
>
> I've never had this issue passing other attributes through before. Can
> anyone let me know if I'm going about this wrong and, if so, what am I
> missing? Thanks :)
> --
> Aaron Echols
>